Blocking a card no longer means security.
A group of security researchers has identified vulnerabilities in Apple Pay, Google Pay, and PayPal systems that allow stolen and canceled payment cards to be used for transactions. The study was presented at the Usenix Security 2024 conference.
Experts analyzed critical flaws in authentication, authorization, and access control mechanisms in major digital wallet applications and U.S. banks. The bugs found allow attackers to add stolen cards to their digital wallets and make unauthorized transactions, even if the card has been canceled or replaced.
For example, a fraudster can use the details of a stolen credit card (the owner's name and address) and add the card to various digital wallets. Different wallets use different authentication methods, and those that only require an address or zip code become easy targets for cybercriminals.
If the cardholder blocks or reissues the card, the attacker can still use it from his wallet for transactions. This situation is possible because, after the card is added to a digital wallet, the bank issues a token that is stored in the wallet and allows purchases to be made. The token is not renewed after the card is replaced; instead it is linked to the new card, which allows purchases to continue using the old token.
The researchers also found that many banks allow the use of less secure authentication methods, such as knowledge-based authentication (KBA), instead of the more secure multi-factor authentication (MFA). This allows the fraudster to bypass stricter security measures by choosing the KBA option, which often consists of verifying the date of birth and the last four digits of the social security number (SSN).
Obtaining such information is possible thanks to public databases and leaks of personal data. Recent leaks of Social Security numbers demonstrate how easy it is to obtain information for such verification.
During the experiments, the researchers were able to use the blocked cards to purchase gift cards and electronics, as well as to sign up for monthly subscriptions. Attackers can even enable autopayment to conduct recurring transactions from blocked cards. Banks, in an effort to avoid missed payments and the associated negative consequences for customers, allow such transactions.
The researchers reported their findings to U.S. banks and digital wallet providers in April 2023. At the time the study was published, Google was working with banks to fix the identified issues in Google Pay. Chase and Citi also said that the vulnerabilities are no longer relevant. However, Apple, PayPal and other companies have not yet commented.
The authors of the study recommend several measures to improve security: use push notifications instead of one-time passwords, apply continuous authentication when managing tokens, and check the correctness of labels for repeated transactions.
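As an added illustration of the token re-linking behaviour described above and of the recommended fix of re-authenticating whenever tokens are managed (this is a toy model written for this post, not the researchers' code or any bank's or wallet's implementation): a minimal issuer whose `relink_on_reissue` flag switches between the flawed and the hardened handling of a card replacement.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Card:
    """One physical card; a replacement card is a distinct object."""
    last4: str
    active: bool = True


@dataclass
class Issuer:
    """Toy issuer that provisions wallet tokens and authorizes by token.

    relink_on_reissue=True reproduces the behaviour described in the post:
    tokens survive a card replacement and are silently bound to the new card.
    relink_on_reissue=False is the hardened variant: replacement revokes every
    token bound to the old card, so the wallet must re-provision, which forces
    the cardholder to authenticate again.
    """
    relink_on_reissue: bool
    tokens: dict = field(default_factory=dict)  # token -> Card

    def provision(self, card: Card) -> str:
        """Bind a fresh, random wallet token to a card."""
        token = secrets.token_hex(8)
        self.tokens[token] = card
        return token

    def replace_card(self, old: Card, new_last4: str) -> Card:
        """Cancel `old` and issue a replacement card."""
        new = Card(last4=new_last4)
        old.active = False
        bound = [t for t, c in self.tokens.items() if c is old]
        for t in bound:
            if self.relink_on_reissue:
                self.tokens[t] = new    # flaw: the old token keeps working
            else:
                del self.tokens[t]      # fix: force re-provisioning
        return new

    def authorize(self, token: str) -> bool:
        """A payment succeeds only if the token maps to an active card."""
        card = self.tokens.get(token)
        return card is not None and card.active


def old_token_still_works(relink_on_reissue: bool) -> bool:
    """Provision a token, replace the card, then retry the old token."""
    issuer = Issuer(relink_on_reissue)
    stolen = Card(last4="1234")          # constructed sample card
    token = issuer.provision(stolen)     # card added to a wallet
    issuer.replace_card(stolen, "5678")  # cardholder reports it, bank reissues
    return issuer.authorize(token)
```

With `relink_on_reissue=True` the old token is still authorized after the replacement; with it set to `False` the token is rejected and the wallet has to go through provisioning again.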